Re: radvd 1.8.2 released with security fixes

[Reuben Hawkins <reubenhwk () gmail com>]

On Wed, Oct 12, 2011 at 3:09 AM, Vasiliy Kulikov <segoon () openwall com> wrote:
> On Tue, Oct 11, 2011 at 23:26 -0700, Reuben Hawkins wrote:
> > On Sat, Oct 8, 2011 at 9:55 AM, Vasiliy Kulikov <segoon () openwall com> wrote:
> > > Crap, thank you for noticing it, guys.  The fix should be:
> > >
> > > https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f
> > >
> > > Now, "", "..", "." and filenames with "/" inside are denied.
>
> In case someone didn't fully track the discussion thread, I'll sum it up -
>
> In the original patch the variable name is typoed/confused - the check
> should be against "iface" instead of "name".  The check against "name"
> is totally wrong as it checks a static hint string, which always passes
> the check.
>
> The confused blacklisted iface set is a bug, but not a security bug;
> the confused variable name is indeed a security bug (not a flaw per se,
> but it greatly weakens the privsep model).
>
>
> Thanks to Solar Designer for pointing out that this thing is probably
> not clear to everybody.
>
> --
> Vasiliy Kulikov
> http://www.openwall.com - bringing security into open computing environments

radvd-1.8.3 posted.